The latest versions of UC Browser and UC Browser Mini Android apps are vulnerable to spoofing attacks. Read on to know more about it…
Since the introduction of the UC Browser, it has become one of the most popular browsing apps with 600 million users globally. Although the UC Browser Android app is popular, recent URL spoofing attacks have raised many questions on the security and vulnerability of the users’ data.
The latest versions of UC Browser and UC Browser Mini Android apps are vulnerable to spoofing attacks.
About URL Spoofing Attacks
URL spoofing is an attack that allows an attacker to change to URL displayed in the address bar of a web browser. By spoofing the URL, the attacker tricks the users into thinking that they are visiting a website controlled by a trusted party.
Discovered by a security researcher named Arif Khan, the flaw affects UC Browser 220.127.116.114 and UC Browser Mini 18.104.22.1682. These versions have over 500 million and 100 million installs respectively on the Google PlayStore.
“This vulnerability allows any attacker to pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making a user visit www[.]google[.]com[.]blogspot.com/?q=www[.]facebook.com,” said Arif in a blog post.
“URL spoofing is the worst possible phishing attack, because the address in the address bar is the only way to identify the site a user has visited,” Khan said.
Researcher Arif explained that the security issue is because of regex checks in some mobile browsers. The browser’s regex only check if the URL begins with a string like www[.]google[.]com, instead of checking the complete URL. This allows attackers to leverage this behavior and spoof the URL.
“The fact that their regex rules just match the URL string, or, the URL any user is trying to visit a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com,” Arif noted.
The CVE number for the issue has not yet been assigned. The firm has also been informed about the issue.
Arif mentioned that some old and other versions of UC Browsers are still not vulnerable to this issue, a fact which is rather confusing. Perhaps it means that a new feature might have been added to the browser recently which is causing the vulnerability.
Arif also reported the vulnerability to the UC Browser security team, and the issue was not yet addressed, they have set an Ignore status on the report.